DMARC: Putting It Together

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens when authentication fails. It's the final piece of email authentication that tells receivers how to handle suspicious emails.

How DMARC Works

DMARC works by checking if an email passes either SPF or DKIM authentication and if the authenticated domain aligns with the From address:

  1. Email arrives — Receiving server performs SPF and DKIM checks
  2. Alignment check — Server verifies the authenticated domain matches the From domain
  3. Policy lookup — Server queries your DMARC record for instructions
  4. Action taken — Based on your policy (none, quarantine, reject)
  5. Report sent — Aggregate report sent to your specified address

DMARC Pass Criteria

DMARC passes if either SPF or DKIM passes AND aligns with the From domain. You don't need both to pass — one aligned authentication is sufficient.

DMARC Policies

DMARC has three policy levels that tell receivers what to do with failing emails:

Policy        Action                          When to Use
p=none        Monitor only, deliver normally  Starting out, gathering data
p=quarantine  Send to spam/junk folder        Intermediate step, testing
p=reject      Reject the email entirely       Full protection

DMARC Record Syntax

DMARC is published as a TXT record at _dmarc.yourdomain.com:

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

DMARC Tags

Tag    Required  Description                           Example
v      Yes       Version (always DMARC1)               v=DMARC1
p      Yes       Policy for domain                     p=reject
sp     No        Policy for subdomains                 sp=quarantine
rua    No        Aggregate report address              rua=mailto:dmarc@example.com
ruf    No        Forensic report address               ruf=mailto:forensic@example.com
pct    No        Percentage of emails to apply policy  pct=50
adkim  No        DKIM alignment mode                   adkim=s (strict) or r (relaxed)
aspf   No        SPF alignment mode                    aspf=s (strict) or r (relaxed)

Example DMARC Records

# Monitoring only (starting point)
v=DMARC1; p=none; rua=mailto:dmarc@example.com

# Quarantine with 50% enforcement
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com

# Full rejection with strict alignment
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com

# Different policy for subdomains
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
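The record syntax above is simple enough to check mechanically before publishing. The following is an added example (not code from the page) that parses a DMARC TXT record into its tags and reports the mistakes that most often break a record: a missing or misplaced v=DMARC1, a missing p tag, an out-of-range pct, or a rua/ruf entry that is not a mailto: URI. The function names and the TAG_RULES table are this example's own.

```python
"""Parse and validate a DMARC TXT record (added example; not the page's code)."""
import re
from typing import Dict, List

# Tags documented on this page and the values each one accepts.
# pct is checked numerically below; rua/ruf are checked as mailto: URIs.
TAG_RULES = {
    "v": {"dmarc1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a malformed tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(record: str) -> List[str]:
    """Return a list of problems; an empty list means the record is well-formed."""
    problems: List[str] = []
    try:
        tags = parse_dmarc_record(record)
    except ValueError as exc:
        return [str(exc)]

    # The version tag must be the first tag and must be DMARC1.
    first = record.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")

    if "p" not in tags:
        problems.append("required tag p is missing")

    # Enumerated tags must carry one of their allowed values.
    for name, allowed in TAG_RULES.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")

    # pct is a whole number of percent between 0 and 100.
    if "pct" in tags:
        value = tags["pct"]
        if not value.isdigit() or not 0 <= int(value) <= 100:
            problems.append("pct must be an integer from 0 to 100")

    # Report addresses are comma-separated mailto: URIs.
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            uri = uri.strip()
            if uri and not re.match(r"^mailto:[^@\s]+@[^@\s]+$", uri):
                problems.append(f"{uri_tag} entry {uri!r} is not a mailto: URI")
    return problems


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=150",
        "p=reject; v=DMARC1",
    ):
        print(rec, "->", validate_dmarc_record(rec) or "OK")
```

Run it against the four example records above and each comes back clean; feed it a record with pct=150 or with the p tag left out and it names the defect.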

Understanding Alignment

DMARC requires that the domain in SPF or DKIM authentication aligns with the From address domain:

SPF Alignment

The domain in the envelope-from (Return-Path) must match the From header domain.

DKIM Alignment

The domain in the DKIM signature (d=) must match the From header domain.

Relaxed vs Strict

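In strict mode (adkim=s, aspf=s) the authenticated domain must be exactly the From header domain; in relaxed mode (the default, r) it only has to share the same organizational domain, so mail.example.com aligns with example.com. The following added example (not code from the page) evaluates both modes and combines them into the overall verdict described under "How DMARC Works": DMARC passes when at least one of SPF or DKIM both passes and aligns. The organizational_domain helper assumes a two-label organizational domain, which is a simplification; real verifiers consult the Public Suffix List. All names here are this example's own.

```python
"""DMARC alignment and overall result (added example; not the page's code)."""
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its registrable part.

    Simplification: assumes the organizational domain is the last two labels.
    Real implementations look the suffix up in the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    from_domain: str   # domain of the From header
    spf_domain: str    # envelope-from (Return-Path) domain that SPF checked
    spf_pass: bool     # raw SPF result
    dkim_domain: str   # d= of the DKIM signature that was verified
    dkim_pass: bool    # raw DKIM result


def dmarc_result(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """Return per-mechanism aligned results and the overall DMARC verdict."""
    spf_aligned = r.spf_pass and is_aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = r.dkim_pass and is_aligned(r.from_domain, r.dkim_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # One aligned pass is enough; both are not required.
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    # Constructed case: mail from a subdomain of the From domain.
    own_subdomain = AuthResults("example.com", "bounce.example.com", True,
                                "mail.example.com", True)
    print("relaxed:", dmarc_result(own_subdomain))
    print("strict: ", dmarc_result(own_subdomain, adkim="s", aspf="s"))

    # Constructed case: a third-party sender authenticating only its own domain.
    vendor = AuthResults("example.com", "bounce.vendor.example", True,
                         "vendor.example", True)
    print("vendor: ", dmarc_result(vendor))
```

The second constructed case is the third-party situation the warning below describes: SPF and DKIM both pass for the vendor's domain, yet DMARC fails because neither aligns with the From domain, so the vendor needs to sign with a d= under your domain or use an envelope-from under your domain before you move to p=reject.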
Third-Party Senders

Services that send email on your behalf (marketing platforms, CRMs) often fail alignment. Check if they support custom DKIM signing or envelope-from customization before moving to reject.

DMARC Reports

Aggregate Reports (RUA)

Daily XML reports from receivers showing authentication results for your domain. These help you understand who's sending email as your domain.

Forensic Reports (RUF)

Detailed reports about individual authentication failures. Note: Many receivers don't send forensic reports due to privacy concerns.

Report Processing

DMARC aggregate reports are XML files that can be hard to read. Use a DMARC report analyzer service to visualize and understand your email authentication data.
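If you would rather see what an analyzer does than hand it your data, the following added example (not code from the page or any particular service) walks a constructed aggregate report in the standard XML layout and totals messages per sending IP, flagging sources that fail DMARC so they can be fixed before enforcement. In aggregate reports the dkim and spf elements under policy_evaluated are the aligned results, so "either one passes" is the DMARC verdict. The sample report, its IPs and its report_id are constructed; all function names are this example's own. Reports arrive from outside parties, so parse real ones with a hardened XML parser such as defusedxml rather than the standard-library parser used here for portability.

```python
"""Summarize a DMARC aggregate (RUA) report (added example; not the page's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample report: one aligned source and one unaligned third party.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>CONSTRUCTED-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Return totals, per-source rows and the set of sources failing DMARC."""
    root = ET.fromstring(xml_text)
    rows: List[Dict[str, object]] = []
    total = failing = 0
    failing_sources = set()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        # policy_evaluated holds the aligned results; one pass means DMARC pass.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        rows.append({
            "source_ip": ip,
            "count": count,
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": passed,
            # Raw auth domains show *which* domain the third party authenticated.
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
        total += count
        if not passed:
            failing += count
            failing_sources.add(ip)
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": total,
        "failing": failing,
        "failing_sources": failing_sources,
        "rows": rows,
    }


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}) from {s['reporter']}: "
          f"{s['failing']}/{s['total']} messages failed DMARC")
    for row in s["rows"]:
        print(f"  {row['source_ip']:<15} {row['count']:>5}  dkim={row['dkim']} "
              f"spf={row['spf']}  d={row['dkim_domain']}  mfrom={row['spf_domain']}")
```

Running it over a day's worth of real reports gives the list that Step 2 of the implementation guide asks for: the IPs sending as your domain, and which of them would be quarantined or rejected once the policy is tightened.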

Implementation Guide

Step 1: Start with Monitoring

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Run this for 2-4 weeks to gather data on who's sending email as your domain.

Step 2: Analyze Reports

Review reports to identify:

Step 3: Move to Quarantine

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com

Start with a low percentage and increase gradually.

Step 4: Full Enforcement

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Move to p=reject once you're confident that all legitimate sources authenticate.

Check Your DMARC Configuration

Verify your DMARC, SPF, and DKIM records are properly configured.
